Introduction
Unrestricted access to industrial monitoring systems can directly impact the reliability and safety of critical infrastructure. In the case of Packet Power EMX and EG devices, a single missing authentication check in the web interface exposes all monitoring and control functions to anyone with network access. This vulnerability, tracked as CVE-2025-8284, is rated with a CVSS v3.1 score of 9.8 and affects widely deployed hardware in data centers and energy facilities.
About Packet Power: Packet Power is a specialist vendor focused on wireless power and environmental monitoring solutions for data centers, industrial sites, and critical infrastructure. Their EMX (Energy Management Exchange) and EG (Ethernet Gateway) products are used globally, processing over 100 million data points per hour and supporting deployments in more than 30 countries. These devices are integral to facility management, providing real-time insight and control over power and environmental conditions.
Technical Information
CVE-2025-8284 is a direct result of missing authentication enforcement in the Packet Power Monitoring and Control Web Interface for EMX and EG devices running firmware versions prior to 4.1.0. The web interface, accessible over HTTP (typically port 80), allows users to view and manipulate all device monitoring and control functions. In affected versions, there is no requirement to present credentials or authenticate in any way before gaining full access. This is classified as CWE-306 (Missing Authentication for Critical Function).
The vulnerability is trivially exploitable: any user with network connectivity to the device can access the web interface and perform any supported operation, including altering monitoring parameters, viewing sensitive operational data, or changing device configurations. There is no evidence of any authentication logic being present in the affected firmware versions. The flaw is present in all default configurations and does not require any special conditions or privileges to exploit.
No public code snippets or exploit scripts are available as of the publication date. The root cause is the complete absence of an authentication check in the web application's request handling logic for critical functions.
Patch Information
Packet Power has addressed this vulnerability by releasing firmware version 4.1.0 for both EMX and EG devices. This update introduces mandatory authentication for the Monitoring and Control Web Interface, effectively preventing unauthorized access and manipulation of device functions. Users are strongly advised to upgrade to version 4.1.0 to secure their systems.
Reference: CISA ICS Advisory ICSA-25-219-05
Affected Systems and Versions
- Packet Power EMX devices: all firmware versions prior to 4.1.0
- Packet Power EG devices: all firmware versions prior to 4.1.0
All default configurations of these products are vulnerable. The vulnerability is present in the Monitoring and Control Web Interface, accessible over HTTP.
Vendor Security History
Packet Power has previously highlighted advanced security features such as data diodes for highly secure environments. However, the presence of a missing authentication flaw in core products indicates a significant gap in secure development lifecycle practices. No prior public record of similar authentication bypasses in Packet Power products was found in the provided sources. The vendor responded to this disclosure by releasing a patch (firmware 4.1.0) and coordinating with CISA for public advisory publication.